This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Endpoint Failed to Install Correctly, But Cannot Be Uninstalled.

Sophos Anti-Virus Major Install Log_181018_052239
2018-10-18 12:22:38 Detected version of SAV with product code: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
2018-10-18 12:22:38 Info: Detected version of SAV has major version number: 10
2018-10-18 12:22:38 Info: Using Sophos updating modes (MSI: N, VDL: 2, IDE: 2)
2018-10-18 12:22:38 GetProperty() - Unable to get product-type
2018-10-18 12:22:38 Info: productType: 0
2018-10-18 12:22:38 PROCESSOR_ARCHITECTURE environment variable is: AMD64
2018-10-18 12:22:38 Info: Logging started: installing/upgrading Sophos Anti-Virus
2018-10-18 12:22:38 Info: InstallFromPath is: C:\ProgramData\Sophos\AutoUpdate\cache\savxp\
2018-10-18 12:22:38 Info: InstallToPath is:
2018-10-18 12:22:38 Detected version of SAV with product code: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
2018-10-18 12:22:38 Info: Detected version of SAV has major version number: 10
2018-10-18 12:22:38 Info: Detected version of SAV has minor version number: 8
2018-10-18 12:22:38 Info: SetupPlugin: Unable to open Application registry key to get Install Path.
2018-10-18 12:22:38 Info: registryInstallTo [overriding InstallToPath] is:
2018-10-18 12:22:38 Checking for problem versions of SAVI - Install path:
2018-10-18 12:22:38 Veex.dll version ''
2018-10-18 12:22:38 INFO: Checking the validity of the VDL manifest file.
2018-10-18 12:22:39 INFO: The manifest file has been successfully validated.
2018-10-18 12:22:39 INFO: Checking the validity of the AppFeed manifest file.
2018-10-18 12:22:39 INFO: The manifest file has been successfully validated.
2018-10-18 12:22:39 Info: Install source location passed to ReadCatalog() is empty. Reverting to a full update.
2018-10-18 12:22:39 Info: Feature change, From: 'AV,CRT,HIPS,PUA,URLSCRTY'  To: 'AV,CRT,DLP,DVCCNTRL,HIPS,PUA,URLSCRTY,WEBCNTRL'
2018-10-18 12:22:39 Info: Managed install (from SAU)
2018-10-18 12:22:39 Info: MSXML6 is installed
2018-10-18 12:22:39 Check for UI changes
2018-10-18 12:22:39 Unable to open SAV application key
2018-10-18 12:22:39 Unable to open SAV application key
2018-10-18 12:22:39 Checking the integrity of the extant SAV installation (noUI is 0)
2018-10-18 12:22:39 The file \WSCClient.exe does not exist(2)
2018-10-18 12:22:39 The file \SavService.exe does not exist(2)
2018-10-18 12:22:39 The file \SavAdminService.exe does not exist(2)
2018-10-18 12:22:39 The file \BackgroundScanClient.exe does not exist(2)
2018-10-18 12:22:39 The file \ComponentManager.dll does not exist(2)
2018-10-18 12:22:39 The file \ICAdapter.dll does not exist(2)
2018-10-18 12:22:39 The file \ICManagement.dll does not exist(2)
2018-10-18 12:22:39 The file \ICProcessors.dll does not exist(2)
2018-10-18 12:22:39 The file \ThreatDetection.dll does not exist(2)
2018-10-18 12:22:39 The file \VirusDetection.dll does not exist(2)
2018-10-18 12:22:39 The file \SavControl.dll does not exist(2)
2018-10-18 12:22:39 The file \SavMain.exe does not exist(2)
2018-10-18 12:22:39 The file \SavProgress.exe does not exist(2)
2018-10-18 12:22:39 The file \DesktopMessaging.dll does not exist(2)
2018-10-18 12:22:39 The file \SavShellExt.dll does not exist(2)
2018-10-18 12:22:39 There is an incomplete SAV installation, forcing a Major Update to recover
2018-10-18 12:22:39 One or more callout driver files are missing - forcing re-install of SAV
2018-10-18 12:22:39 Info: Performing major update of Sophos Anti-Virus using msi.
2018-10-18 12:22:39 Info: Update is signalled.
2018-10-18 12:22:39 Detected version of SAV with product code: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
2018-10-18 12:22:39 In KB2918614Workaround().
2018-10-18 12:22:39 Leaving KB2918614Workaround().
2018-10-18 12:22:39 Detected version of SAV with product code: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
2018-10-18 12:22:39 Product code of SAV currently installed: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
2018-10-18 12:22:39 Product code of SAV to be installed:     {C4EDC7DA-3AF8-4E99-ACAC-4C1A70F88CFB}
2018-10-18 12:22:39 ERROR: GetVersion - Unable to load the new Factory file, path = C:\ProgramData\Sophos\Sophos Anti-Virus\Config\Factory.xml
2018-10-18 12:22:39 ProductCode change detected
2018-10-18 12:22:39 Info: Added SAVService to ServicesList.
2018-10-18 12:22:39 Info: Added SAVAdminService to ServicesList.
2018-10-18 12:22:39 Info: Added Sophos Device Control Service to ServicesList.
2018-10-18 12:22:39 Info: Added SophosBootDriver to ServicesList.
2018-10-18 12:22:39 Info: Added swi_service to ServicesList.
2018-10-18 12:22:39 Info: Added swi_filter to ServicesList.
2018-10-18 12:22:39 Info: Added Sophos Web Control Service to ServicesList.
2018-10-18 12:22:39 Info: Added SAVOnAccess to ServicesList.
2018-10-18 12:22:39 Info: component SAV is not registered - skipping.
2018-10-18 12:22:39 Info: component SDC is not registered - skipping.
2018-10-18 12:22:39 Info: component SCS is not registered - skipping.
2018-10-18 12:22:39 Info: component SWI is not registered - skipping.
2018-10-18 12:22:39 Info: component SWC is not registered - skipping.
2018-10-18 12:22:39 Info: Detected an older version of SAV, version 10.8. Doing a major update.
2018-10-18 12:22:39 Info: Set Update Begin
2018-10-18 12:22:39 Unable to create an instance of ComponentManager - SystemInformation will not be informed of the update (0x80040154)
2018-10-18 12:22:39 Info: Added SAVService to ServicesList.
2018-10-18 12:22:39 Info: Added SAVAdminService to ServicesList.
2018-10-18 12:22:39 Info: Added Sophos Device Control Service to ServicesList.
2018-10-18 12:22:39 Info: SophosBootDriver was found to not be installed - skipping.
2018-10-18 12:22:39 Info: swi_service was found to not be installed - skipping.
2018-10-18 12:22:39 Info: swi_filter was found to not be installed - skipping.
2018-10-18 12:22:39 Info: Added Sophos Web Control Service to ServicesList.
2018-10-18 12:22:39 Info: All services reported they accept stop controls.
2018-10-18 12:22:39 Info: Stop SAVService
2018-10-18 12:22:39 Info: Convert boot tasks
2018-10-18 12:22:39 Info: CopyFilesToTemp
2018-10-18 12:22:39 ERROR: StoreTempFiles - failed to copy machine file - not present, hr = 0x0
2018-10-18 12:22:39 Warning: configuration will not be preserved
2018-10-18 12:22:39 Info: Reading overrides from registry
2018-10-18 12:22:39 Info: Getting registered UI plugins from registry
2018-10-18 12:22:39 Info: Uninstall old SAV
2018-10-18 12:22:39 Detected version of SAV with product code: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
2018-10-18 12:22:39 Unable to delete registry key: SOFTWARE\Sophos\Telemetry\Plugins!
2018-10-18 12:22:39 Info: Running Uninstall of previous version using command line: msiexec.exe /x {6654537D-935E-41C0-A18A-C55C2BF77B7E} REBOOT=ReallySuppress /qn  UNINSTALLDRIVERS=1 UNINSTALLCLASSFILTER=0 UNINSTALLBOOTDRIVERS=1 UNINSTALLKMSDRIVERS=1 CHECKFORSCF=0  INSTALLINGVERSION="10.8.2.334" /Lvp "C:\Windows\TEMP\Sophos Anti-Virus Uninstall Log_181018_052239.txt"
2018-10-18 12:22:39 Info: Finished waiting for Uninstallation of previous version. Status returned was 0l.
2018-10-18 12:22:39 WARNING: SAV uninstall failed with error 1612
2018-10-18 12:22:39 Detected version of SAV with product code: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
2018-10-18 12:22:39 Info: Detected version of SAV has major version number: 10
2018-10-18 12:22:39 Info: Detected version of SAV has minor version number: 8
2018-10-18 12:22:39 ERROR: Uninstall of SAV, version = 10.8.1, succeeded but IsSAVInstalled is true (10.8.1).
2018-10-18 12:22:39 ERROR: Upgrade failure
2018-10-18 12:22:39 Info: SetupPlugin: Unable to open Application registry key to get Install Path.
2018-10-18 12:22:39 ERROR: Failed to get current install location to register with tamper protection. Error 0x80070002
2018-10-18 12:22:39 Info: Set Update Failed
2018-10-18 12:22:39 Unable to create an instance of ComponentManager - SystemInformation cannot be informed of end of update

Sophos Anti-Virus Uninstall Log_181018_052239
=== Verbose logging started: 10/18/2018  12:22:39  Build type: SHIP UNICODE 5.00.9600.00  Calling process: C:\Windows\SysWOW64\msiexec.exe ===
MSI (c) (18:50) [12:22:39:469]: Resetting cached policy values
MSI (c) (18:50) [12:22:39:469]: Machine policy value 'Debug' is 0
MSI (c) (18:50) [12:22:39:469]: ******* RunEngine:
           ******* Product: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
           ******* Action:
           ******* CommandLine: **********
MSI (c) (18:50) [12:22:39:469]: Client-side and UI is none or basic: Running entire install on the server.
MSI (c) (18:50) [12:22:39:469]: Grabbed execution mutex.
MSI (c) (18:50) [12:22:39:485]: Cloaking enabled.
MSI (c) (18:50) [12:22:39:485]: Attempting to enable all disabled privileges before calling Install on Server
MSI (c) (18:50) [12:22:39:485]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (EC:4C) [12:22:39:485]: Running installation inside multi-package transaction {6654537D-935E-41C0-A18A-C55C2BF77B7E}
MSI (s) (EC:4C) [12:22:39:485]: Grabbed execution mutex.
MSI (s) (EC:E8) [12:22:39:485]: Resetting cached policy values
MSI (s) (EC:E8) [12:22:39:485]: Machine policy value 'Debug' is 0
MSI (s) (EC:E8) [12:22:39:485]: ******* RunEngine:
           ******* Product: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
           ******* Action:
           ******* CommandLine: **********
MSI (s) (EC:E8) [12:22:39:485]: Machine policy value 'DisableUserInstalls' is 0
EC:E8) [12:22:39:501]: Note: 1: 1706 2: -2147483647 3: Sophos Anti-Virus.msi
MSI (s) (EC:E8) [12:22:39:501]: Note: 1: 1706 2:  3: Sophos Anti-Virus.msi
alue 'SearchOrder' is 'nmu'
MSI (s) (EC:E8) [12:22:39:485]: User policy value 'DisableMedia' is 0
MSI (s) (EC:E8) [12:22:39:485]: Machine policy value 'AllowLockdownMedia' is 0
MSI (s) (EC:E8) [12:22:39:485]: SOURCEMGMT: Media enabled only if package is safe.
MSI (s) (EC:E8) [12:22:39:485]: SOURCEMGMT: Looking for sourcelist for product {6654537D-935E-41C0-A18A-C55C2BF77B7E}
MSI (s) (EC:E8) [12:22:39:485]: SOURCEMGMT: Adding {6654537D-935E-41C0-A18A-C55C2BF77B7E}; to potential sourcelist list (pcode;disk;relpath).
MSI (s) (EC:E8) [12:22:39:485]: SOURCEMGMT: Now checking product {6654537D-935E-41C0-A18A-C55C2BF77B7E}
MSI (s) (EC:E8) [12:22:39:485]: SOURCEMGMT: Media is enabled for product.
MSI (s) (EC:E8) [12:22:39:485]: SOURCEMGMT: Attempting to use LastUsedSource from source list.
MSI (s) (EC:E8) [12:22:39:485]: SOURCEMGMT: Trying source C:\ProgramData\Sophos\AutoUpdate\cache\savxp\.
MSI (s) (EC:E8) [12:22:39:485]: Note: 1: 1402 2: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3: 2
MSI (s) (EC:E8) [12:22:39:501]: SOURCEMGMT: Source is invalid due to invalid package code (product code doesn't match).
MSI (s) (EC:E8) [12:22:39:501]: Note: 1: 1706 2: -2147483646 3: Sophos Anti-Virus.msi
MSI (s) (EC:E8) [12:22:39:501]: SOURCEMGMT: Processing net source list.
MSI (s) (EC:E8) [12:22:39:501]: Note: 1: 1706 2: -2147483647 3: Sophos Anti-Virus.msi
MSI (s) (EC:E8) [12:22:39:501]: SOURCEMGMT: Processing media source list.
MSI (s) (EC:E8) [12:22:39:501]: Note: 1: 2203 2:  3: -2147287037
MSI (s) (EC:E8) [12:22:39:501]: SOURCEMGMT: Source is invalid due to missing/inaccessible package.
MSI (s) (EC:E8) [12:22:39:501]: Note: 1: 1706 2: -2147483647 3: Sophos Anti-Virus.msi
MSI (s) (EC:E8) [12:22:39:501]: SOURCEMGMT: Processing URL source list.
MSI (s) (EC:E8) [12:22:39:501]: Note: 1: 1402 2: UNKNOWN\URL 3: 2
MSI (s) (MSI (s) (EC:E8) [12:22:39:501]: SOURCEMGMT: Failed to resolve source
MSI (s) (EC:E8) [12:22:39:501]: MainEngineThread is returning 1612
MSI (s) (EC:4C) [12:22:39:501]: User policy value 'DisableRollback' is 0
MSI (s) (EC:4C) [12:22:39:501]: Machine policy value 'DisableRollback' is 0
MSI (s) (EC:4C) [12:22:39:501]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (EC:4C) [12:22:39:501]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (EC:4C) [12:22:39:501]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
MSI (s) (EC:4C) [12:22:39:501]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (c) (18:50) [12:22:39:501]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (c) (18:50) [12:22:39:501]: MainEngineThread is returning 1612
=== Verbose logging stopped: 10/18/2018  12:22:39 ===



This thread was automatically locked due to age.
Parents
  • Hi Robert X Ha,

    2018-10-18 12:22:38 Detected version of SAV with product code: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
    2018-10-18 12:22:38 Info: Detected version of SAV has major version number: 10
    2018-10-18 12:22:38 Info: Detected version of SAV has minor version number: 8
    2018-10-18 12:22:38 Info: SetupPlugin: Unable to open Application registry key to get Install Path.

    Please try these steps as they show the same key and how to uninstall it: 
    community.sophos.com/.../382874

    If the issue persists, please provide this info:

    Did you disable tamper protection prior to uninstalling?
    Also, can you verify you have the correct permissions on your registry?
    How to apply permissions to a Windows registry key

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

     

Reply
  • Hi Robert X Ha,

    2018-10-18 12:22:38 Detected version of SAV with product code: {6654537D-935E-41C0-A18A-C55C2BF77B7E}
    2018-10-18 12:22:38 Info: Detected version of SAV has major version number: 10
    2018-10-18 12:22:38 Info: Detected version of SAV has minor version number: 8
    2018-10-18 12:22:38 Info: SetupPlugin: Unable to open Application registry key to get Install Path.

    Please try these steps as they show the same key and how to uninstall it: 
    community.sophos.com/.../382874

    If the issue persists, please provide this info:

    Did you disable tamper protection prior to uninstalling?
    Also, can you verify you have the correct permissions on your registry?
    How to apply permissions to a Windows registry key

    Regards,

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

     

Children
  • I am running the x86 on 64-bit, so in registry, I confirmed that SYSTEM & the account I am using has Full Control permissions to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6654537D-935E-41C0-A18A-C55C2BF77B7E}

    in elevated command prompt, I ran the following command but it generates the dialog box depicted below:
    MsiExec.exe /X{6654537D-935E-41C0-A18A-C55C2BF77B7E} /L*v %windir%\Temp\SAV_Uninstall_Log.txt

    and when I navigate to the folder where the MSI should be (from what I understand), the contents are empty:

    Please advise further.

  • Hello Robert X Ha,

    Sophos Endpoint Failed to Install Correctly, But Cannot Be Uninstalled
    this is not the whole story. The log shows that during the attempt to install 10.8.2.334 (from this I assume it's the on-premise SESC) install information from an older version (10.8.1) has been found that has to be uninstalled.
    This is definitely not an initial install. Furthermore, as SAV is normally installed by AutoUpdate (and InstallFromPath is: C:\ProgramData\Sophos\AutoUpdate\cache\savxp\ suggests this is the case) the latter should be installed and if so, %ProgramData%\Sophos\ should not be empty but at least contain AutoUpdate's data folders and files. Apparently the contents "have disappeared" - after the failed uninstall/install and before you browsed to this location.
    A puzzling thing is that it looks for Sophos Anti-Virus.msi to uninstall, normally it should use a cached MSI from %windir%\Installer\. Anyway, if I'm not mistaken it did find Sophos Anti-Virus.msi in C:\ProgramData\Sophos\AutoUpdate\cache\savxp\: SOURCEMGMT: Source is invalid due to invalid package code (product code doesn't match) is the expected error as the cache contains the MSI for 10.8.2 (ProductCode {C4EDC7DA-3AF8-4E99-ACAC-4C1A70F88CFB}), not the one from 10.8.1 (this is another indication that %ProgramData%\Sophos\ wasn't empty at this time.

    [@ Barb@Sophos]
    The install logic essentially doesn't more than calling msiexec.exe /x {6654537D-935E-41C0-A18A-C55C2BF77B7E}, and it also requests a log. Therefore calling msiexec.exe from the command line fails with the same error and the log likely provides no additional insight. The only difference is the pop-up that appears because on the command line the /qn display options (quiet, no UI) were omitted.
    Jak's post applies to cases when uninstalling from the Control Panel - that doesn't create an associated log - fails.

    To successfully uninstall the correct Sophos Anti-Virus.msi is needed. If you don't have it "somewhere" add a Subscription and select the Previous Recommended package. Wait until it is deployed, copy the MSI from the new CID (...\SAVSCFXP\savxp\) to a local folder. As %ProgramData%\Sophos\ is empty (for whatever reason) the "old" installation might no longer be healthy and uninstall could again fail. Therefore (while you could right-click the MSI and select Uninstall) it's better to use msiexec.exe from the command line:  MsiExec.exe /X "\path\to\Sophos Anti-Virus.msi" /L*v %windir%\Temp\SAV_Uninstall_Log.txt.
    If it still fails please post the SAV_Uninstall_Log.txt.

    Christian

  • @ QC,

    Definitely good info there. I was trying to get some sort of output, as we do have a KBA that seems to match what I see in his logs (however, I needed to confirm as sometimes, they can be tricky):Error 1610 or Error 1612 occurs when upgrading or uninstalling Sophos Endpoint Security and Control

    @Robert X Ha,

    Please let us know how it goes following QC's steps. And if needed, please provide additional logs, and do have a look at the above listed article. 

    Thanks! 

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

     

  • I was unable to locate a previous version of the .MSI from the Sophos Enterprise Console; however, I have a lead on an otherwise offline computer that may be running that previous version of the SAV, from which i may be able to copy its .msi for the purposes of uninstalling it from the client computer. The rest of our systems seem to already be running the updated version.

    I will update this when I have had a chance to obtain that .MSI & run it on the affected client computer.